There are two different types of reports: periodic scanning reports, which are generated by default, and PDF reports, which can be generated by admins.
- Periodic scanning reports: By default, the periodic scanning in the Specops Password Policy Sentinel Service runs every night on the PDC emulator. During the periodic scanning, actions are taken, for instance to expire passwords and to handle breached passwords. Specops Password Policy Sentinel saves information from the periodic scanning. The Domain Administration Tool can show this information, but it is also possible to retrieve it using Windows PowerShell 5.1 cmdlets if automation is preferred.
- PDF reports: Specops Password Auditor is essentially a tool for generating PDF reports listing risks around password policies and user accounts in Active Directory. Apart from manually generating reports in Specops Password Auditor, Specops Password Policy users can generate (scheduled) reports using a Windows PowerShell 5.1 cmdlet.
Periodic Scanning reports vs Password Auditor PDF reports
There is a fundamental difference between Periodic Scanning reports and reports generated through Specops Password Auditor. Reports generated from the periodic scanning in Specops Password Policy contain information about actions performed on users in the periodic scan, such as passwords found to be breached. Such a report is the result of a periodic scan performed previously at a certain time. Reports generated from Specops Password Auditor, on the other hand, contain a different set of information, related to risks around users and password policies. Such a report is a snapshot of the information gathered; no actions have been performed on users.
Periodic Scanning reports
The SPP admin tool PowerShell module contains the following cmdlets related to periodic scanning:
- Get-SppPeriodicScanningResultList: lists the available periodic scanning results from the domain controller.
- Get-SppPeriodicScanningResult: returns summary information of the latest periodic scanning or, if specified, of a specific user counting id. No user information is provided in this result set.
- Get-SppPeriodicScanningResultUsers: returns information about the users from the latest periodic scanning or, if specified, from a specific user counting id.
Note that the above cmdlets return information from a periodic scan that has already been performed; they do not start a new periodic scan.
Specops Password Auditor PDF reports
The SPP admin tool PowerShell module contains the following cmdlet related to Password Auditor PDF reporting:
- New-SpaReport: scans information from Active Directory and generates a PDF report. It is recommended to carefully consider how often and when to run this command, as it causes load on the domain controller.
With this command it is, for instance, possible to generate a report that is sent by e-mail to a CISO to provide a weekly status.
While the SPA tool scans for users with breached passwords found in the Express list, those results are not part of the PDF generated by the cmdlet. If information about users with breached passwords is of interest, it is recommended to use the Get-SppPeriodicScanningResultUsers cmdlet. Note that this does not generate a Specops Password Auditor PDF report, but a Periodic Scanning report in Specops Password Policy.
Scheduling reports from Specops Password Auditor
Using the cmdlet above and Windows Task Scheduler, it is possible to schedule report generation. Below is an example script that generates a PDF report and sends it as an email to the organization's CISO.
- Create a script file named reporting.ps1. For this example the file is saved here: C:\pdf_reports\scripts\reporting.ps1
- Include the following code in the script file:
# Folder where the generated PDF and the log file are written
$out_folder = 'C:\pdf_reports\out'
# New-SpaReport returns the path of the generated PDF; "4>" redirects the verbose stream to a log file
$pdf_report_path = New-SpaReport -OutputDirectory $out_folder -Verbose 4> $out_folder\log.txt
# Mail the PDF to the CISO (add -UseSsl if your SMTP server requires TLS on port 587)
Send-MailMessage -Subject 'SPA report' -To 'ciso@acme.org' -From 'automated-reporting@acme.org' -SmtpServer 'smtp.acme.org' -Port 587 -Attachments $pdf_report_path
Make sure to set your preferred output path for $out_folder, and to input the correct email parameters for your setup.
NOTE: It is recommended to run this on a server that is not a domain controller.
- Create a scheduled task in Windows Task Scheduler:
  - Select Action > Create Basic Task.
  - Give it a name.
  - In the Trigger section, set your preferred interval.
  - In the Action section, select Start a Program:
    - Program: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    - Add argument: C:\pdf_reports\scripts\reporting.ps1
Since some of the reports contain password-related information, domain administrative permission is required. It is recommended to run the scheduled task as a domain admin account dedicated for this purpose.
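The same scheduled task created from PowerShell instead of the Task Scheduler GUI, as an added example that is not part of the Specops documentation. It assumes the script path used on this page and a hypothetical dedicated domain admin account, ACME\svc-spa-report, whose credentials are entered interactively rather than stored in the script.

```powershell
# Added example (not Specops' own code): register the weekly report task from PowerShell.
# Assumptions: reporting.ps1 lives at the path used on this page, and a dedicated
# domain admin account (hypothetical name ACME\svc-spa-report) runs the task.
$scriptPath = 'C:\pdf_reports\scripts\reporting.ps1'
$taskName   = 'SPA weekly CISO report'

# Run the script non-interactively; -NoProfile avoids loading profile scripts
# under the service account, and -File runs the script without shell expansion.
$action = New-ScheduledTaskAction `
    -Execute 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$scriptPath`""

# Weekly, Monday 06:00: New-SpaReport loads the domain controller, so keep it
# outside business hours and away from the nightly periodic scan.
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At '06:00'

# Bound the run time so a hung scan does not keep querying the DC indefinitely,
# and let the task run if it missed its start because the server was off.
$settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
    -StartWhenAvailable

# Prompt for the dedicated account's credentials instead of embedding them.
$cred = Get-Credential -UserName 'ACME\svc-spa-report' `
    -Message 'Dedicated domain admin account that runs the report task'

Register-ScheduledTask -TaskName $taskName `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest `
    -Description 'Generates the Specops Password Auditor PDF and mails it to the CISO'

# Verify registration and, after the first run, check LastRunTime/LastTaskResult.
Get-ScheduledTask -TaskName $taskName | Get-ScheduledTaskInfo
```

Supplying -User and -Password registers the task to run whether the account is logged on or not, which is what an unattended weekly report needs.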